Commit Graph

58476 Commits

Author SHA1 Message Date
Santiago Aboy Solanes
1257f60ece [CSA][cleanup] TNodify builtins reflect gen
Bug: v8:6949
Change-Id: I25d2247f149b296157cb422342cb7c218f724496
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807363
Reviewed-by: Dan Elphick <delphick@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63834}
2019-09-17 13:11:52 +00:00
Joshua Litt
7988045ced [tidy] cleanup commented out code
Change-Id: Ie233f093377bcdbab95a2f34b6c609a651f9db62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1787980
Auto-Submit: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63833}
2019-09-17 12:58:03 +00:00
Clemens Hammacher
8ced2d21d6 [wasm] Stage far jump table behind --future
This will give us much more test coverage and fuzzer coverage.

R=mstarzinger@chromium.org

Bug: v8:9477
Change-Id: Iad76c2b5b8c7a29b4168bbefa38bac7d92a30599
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807367
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63832}
2019-09-17 12:55:42 +00:00
Andreas Haas
65951323ff [arm64] Remove arm64-specific CountTrailingZeros function
The {CountTrailingZeros} function is at least on one hot code path,
and there it causes significant overhead. With this CL I just call the
base::bit:: version of {CountTrailingZeros} directly. This allows the
compiler to compile it to a single hardware instruction.

R=v8-arm-ports@googlegroups.com

Bug: v8:9396
Change-Id: I81eccc5fce9b9856d41c503bd1e4a07287eb6e1e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803648
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63831}
2019-09-17 12:50:21 +00:00
Mythri A
0eb4b90fac [cleanup][CSA] TNodify ic-accessor-assembler.cc
TNodifies most of ic-accessor-assember. Most of the remaining Node* are
because of the Parameters.

Bug: v8:6949, v8:9396
Change-Id: Ife9fd96c5e46dee02fdc60e5825562d7ae89f8f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803634
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63830}
2019-09-17 12:21:41 +00:00
Jakob Kummerow
982412d96f [tests] Speed up mjsunit/packed-elements by 1500x
Adding a %SimulateNewspaceFull runtime function speeds up this test
from 7m21s to 0.3s (on arm.optdebug with --jitless).
Bonus content:
- speed up mjsunit/md5 by 23x (5m25s -> 7.5s)
- speed up mjsunit/string-replace-gc by 8x (1m37s -> 12s)

Bug: v8:9700, v8:9396
Change-Id: Id00d0b83b51192edf1d5493b49b79b5d76e78087
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807355
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63829}
2019-09-17 12:05:11 +00:00
Georg Neis
c98aa0e275 Clean up deferred handle scopes
- There was no use of DisallowDeferredHandleDereference, so remove the
  corresponding assertion scope and related code.
- Make DeferredHandleScope::Detach return a unique_ptr rather than a
  raw pointer for clarity.
- Store DeferredHandles in compilation info as unique_ptr rather than
  shared_ptr, as it's never shared.
- Remove some unused methods.

Change-Id: I8327399fd291eba782820dd7a62c3bbdffedac4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1805645
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63828}
2019-09-17 11:45:55 +00:00
Joey Gouly
93ce2b42b6 [arm64][turbofan] Delete unused node: Arm64StrCompressTagged
The use of it was deleted in https://chromium-review.googlesource.com/c/v8/v8/+/1601151.

Change-Id: I9810d180140e737c5a2763e4cdc4066266d654e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803345
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63827}
2019-09-17 11:28:05 +00:00
Jakob Kummerow
a2aa28701c [ubsan] Fix 32-bit UBSan builds
By providing a custom implementation of __mulodi4(). This function
usually comes from libcompiler_rt, but our build system doesn't
provide that.

Bug: v8:9665
Change-Id: Ia72f0c23e83724f73ec72b404706c9a40ed861ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806682
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63826}
2019-09-17 11:17:56 +00:00
Andreas Haas
9d7b45620d [wasm] Check for invalid function index in init expr
R=clemensh@chromium.org

Bug: chromium:1003241
Change-Id: I2c37404746bd4807040c787490fc7851ea6988d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807359
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63825}
2019-09-17 10:37:33 +00:00
Maya Lekova
f5a8402350 [turbofan] Switch serializer hints to FunctionalSet
Bug: v8:9720
Change-Id: I681c521c7d368148d41aaa4a0694194e33d9a091
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800578
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63824}
2019-09-17 10:23:03 +00:00
Clemens Hammacher
9febc505bd Reland "Remove all custom CopyCharsUnsigned implementations"
This is a reland of 5d8c489000

Original change's description:
> Remove all custom CopyCharsUnsigned implementations
>
> It's unclear whether the custom implementation have any advantage over
> the standard library one's.
> Since we update our toolchain and standard library regularly, it might
> well be the case that the custom implementations are slower by now.
>
> Thus this CL removes all {CopyCharsUnsigned} implementations and
> implements {CopyChars} generically using {std::copy_n}.
>
> Note that this does not touch the {MemMove} and {MemCopy} functions
> yet, as we have seen regressions when trying to remove them before
> (https://crbug.com/v8/8675#c5).
>
> R=leszeks@chromium.org
>
> Bug: v8:9396
> Change-Id: I97a183afebcccd2fbb567bdba02e827331475608
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800577
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63808}

Bug: v8:9396
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Change-Id: I9cd754ebe6b802bb4aabd6d2a448de41da040874
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807357
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63823}
2019-09-17 10:20:53 +00:00
Dan Elphick
3e31cf617a [cleanup] Fix clang-tidy warnings for missing overrides
Remove a redundant default destructor definition and add final to
another which is overriding a virtual constructor.

Bug: v8:9396
Change-Id: I917f3c6058bfae8cbcd3c4ffb0817f78e8214552
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807360
Commit-Queue: Dan Elphick <delphick@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63822}
2019-09-17 10:01:03 +00:00
Andreas Haas
2172208dbc [arm64] Mark PopLowestIndexAsCode as inline
The function CPURegList::PopLowestIndex is called many times in the
arm64 simulator. However, the simulator does not need a full CPURegister
but only its register code. This CL creates a second PopLowestIndexAsCode
method which only returns the register code, and also marks the function
as inline. This speeds up the mjsunit/wasm/asm-wasm-f32 test from
1:45min to 1:35min in the optdebug build on my machine.

R=v8-arm-ports@googlegroups.com

Bug: v8:9396
Change-Id: I8cdcb2e0916dbb40e4a30ad5cd8f620b0358d08e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803647
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63821}
2019-09-17 08:11:50 +00:00
v8-ci-autoroll-builder
a82ade1f73 Update V8 DEPS.
Rolling v8/build: 2d9fa32..3bf1aad

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: Iea4e3425c2474e1035fe054fbe198a03ccea11f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807003
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63820}
2019-09-17 07:33:50 +00:00
Jakob Gruber
b8127393eb [compiler] Use PersistentMap in store-store elimination
Store-store elimination can potentially allocate many temporary data
structures, all of which are contained in its so-called temporary
zone. The zone is 'temporary' in the sense of only existing for the
lifetime of the StoreStoreEliminationPhase; but all allocated memory
remains alive until the phase terminates.

Investigation of a pathological case (see the linked bug) showed this
zone reaching a size of 4GB. The cause in this specific case was the
UnobservableSet data structure, conceptually an immutable set (i.e.
each operation creates a full copy). This CL changes the
UnobservableSet to use a PersistentMap backing store rather than a
ZoneSet. PersistentMap is intended for exactly this use-case, since
copies are basically free and updates only change small parts of the
data structure.

Memory consumption for the linked pathological case drops from 4GB to
70MB and execution speeds up from 20s to 17s.

Bug: v8:9574
Change-Id: I902b27f1aa42b88ddd905ee941df24028a68a9bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1795351
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63819}
2019-09-17 07:22:10 +00:00
Frank Tang
33092580ef [Intl] Better annotation of bug number
Bug: v8:9742
Change-Id: Ifd162c4c8c52efff7da98281c9dfed53a473026c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1808405
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63818}
2019-09-17 06:25:20 +00:00
v8-ci-autoroll-builder
e87b51668b Update V8 DEPS.
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/ecd1092..b19a360

Rolling v8/third_party/depot_tools: 73ec83f..2c210a4

Rolling v8/third_party/googletest/src: cad3bc4..f2fb48c

Rolling v8/tools/clang: 27f1edd..b6e35ab

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I35752af2f2b1a052d3b6eed35bc90414626f9198
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807677
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63817}
2019-09-17 03:56:10 +00:00
Frank Tang
dbc824d85b [Intl] Fix resolvedOptions of PluralRule
Bug: v8:9727
Change-Id: I634902e89c0c79fb95994e0a3a971cbc7889c09c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803788
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63816}
2019-09-16 22:00:11 +00:00
Frank Tang
133219ad5c [Intl] Throws exception on grandfather and private locale
Bug: v8:9613
Change-Id: Ie91a5bd39c82b6baf33fd84dee8420d2c4a5f504
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803783
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63815}
2019-09-16 20:59:11 +00:00
Ng Zhi An
428c2a383d [wasm-simd] Implement f32x4.sqrt for ia32
Bug: v8:8460
Change-Id: I8e72aa194cfc9797f0451d54638b6ba152d32971
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1797269
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63814}
2019-09-16 20:26:01 +00:00
Suraj Sharma
71ebd28db0 Handle IC Store slow on GlobalObjects
The new Smi handler created to handle StoreIC_Slow and
KeyedStoreIC_Slow can get incorrectly assigned to global Objects.
Added an extra Check to avoid that.

Bug: chromium:1002628
Change-Id: I370e617e791792c98fa7b0cbf89ee7458f4e4c68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803659
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63813}
2019-09-16 19:10:18 +00:00
Irina Yatsenko
65a0f7578e Guard against overflow in CopyImpl if requested count is zero
Bug: v8:9739
Change-Id: I6ec23018e6e2725e47efcc9a5d95dda3713d064e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803792
Commit-Queue: Irina Yatsenko <irinayat@microsoft.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63812}
2019-09-16 18:01:52 +00:00
Fernando Serboncini
0999cfb4e8 Add adjust_os_scheduling_parameters flag for v8 isolate
This will allow the test infrastructure to bypass isolate scheduling
restrictions.


Bug: chromium:1002582
Change-Id: Ib22a599cf6c826c3d412898520dba6f4045175b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801995
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63811}
2019-09-16 18:00:48 +00:00
Adam Klein
0aac347e12 Revert "Remove all custom CopyCharsUnsigned implementations"
This reverts commit 5d8c489000.

Reason for revert: Fails on UBSan bot:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/7946

Original change's description:
> Remove all custom CopyCharsUnsigned implementations
> 
> It's unclear whether the custom implementation have any advantage over
> the standard library one's.
> Since we update our toolchain and standard library regularly, it might
> well be the case that the custom implementations are slower by now.
> 
> Thus this CL removes all {CopyCharsUnsigned} implementations and
> implements {CopyChars} generically using {std::copy_n}.
> 
> Note that this does not touch the {MemMove} and {MemCopy} functions
> yet, as we have seen regressions when trying to remove them before
> (https://crbug.com/v8/8675#c5).
> 
> R=​leszeks@chromium.org
> 
> Bug: v8:9396
> Change-Id: I97a183afebcccd2fbb567bdba02e827331475608
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800577
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63808}

TBR=leszeks@chromium.org,clemensh@chromium.org

Change-Id: Ia16da942c7c28ba71076d1e3b0b8a6388a4ba359
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9396
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806103
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63810}
2019-09-16 17:14:01 +00:00
Santiago Aboy Solanes
c9fa0c5f01 [CSA][cleanup] TNodified return types in interpreter-generator
There were two already TNodified methods, but lacking TNodification
on the variables that they were assigning to.

Now only CallRuntimeN and ExitPoint remain in interpreter-generator.

Bug: v8:6949, v8:9396
Change-Id: I66f74306b88c2254ad8ed1cb2c17187afa4fe0ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1805644
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63809}
2019-09-16 16:52:17 +00:00
Clemens Hammacher
5d8c489000 Remove all custom CopyCharsUnsigned implementations
It's unclear whether the custom implementation have any advantage over
the standard library one's.
Since we update our toolchain and standard library regularly, it might
well be the case that the custom implementations are slower by now.

Thus this CL removes all {CopyCharsUnsigned} implementations and
implements {CopyChars} generically using {std::copy_n}.

Note that this does not touch the {MemMove} and {MemCopy} functions
yet, as we have seen regressions when trying to remove them before
(https://crbug.com/v8/8675#c5).

R=leszeks@chromium.org

Bug: v8:9396
Change-Id: I97a183afebcccd2fbb567bdba02e827331475608
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800577
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63808}
2019-09-16 16:24:42 +00:00
Dominik Inführ
167a89469d [heap] Split old-to-new remembered set
Split OLD_TO_NEW remembered set and add OLD_TO_NEW_SWEEPING. The
OLD_TO_NEW remembered set is moved to OLD_TO_NEW_SWEEPING during
mark-compact. OLD_TO_NEW_SWEEPING is then modified by the sweeper.
Before using the page again, OLD_TO_NEW and OLD_TO_NEW_SWEEPING are
merged again.

This means only the main thread modifies OLD_TO_NEW, the sweeper only
removes entries from OLD_TO_NEW_SWEEPING. We can use this property
to make accesses non-atomic in a subsequent CL.

Bug: v8:9454
Change-Id: I9057cf85818d647775ae4c7beec4c8ccf73e18f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771783
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63807}
2019-09-16 16:15:30 +00:00
Georg Neis
97c89ebbe2 [turbofan] Fix and simplify optimization of access on global proxy
We used to have two special cases for named accesses on the global
proxy, one based on seeing the global proxy constant in the graph and
on based on seeing the global proxy map either in the feedback or in
the graph. A change I made a while ago accidentally disabled the second
one. This CL restores that.

Moreover, given how things are set up now (this might have been
different before), the first optimization is subsumed by the second
one, so this CL also removes the first one.

Finally, this CL records an accumulator hint in the case of a load,
which improves precision of the serializer for concurrent inlining.

Tbr: tebbi@chromium.org
Bug: v8:7790
Change-Id: I255afc6c79e5c5c900b3ccfcd8459d836d21e42b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801954
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63806}
2019-09-16 15:43:08 +00:00
Peter Marshall
abf47eee04 [cpu-profiler] Removed deprecated methods, advance deprecation
Remove CollectSample() and SetIdle(), advance deprecation of GetCallUid()

Change-Id: Idb8c4f4d14bc5318a430e3549aaff7a41a911557
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1805641
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63805}
2019-09-16 15:37:47 +00:00
Bruce Dawson
10360127e8 Speculative fix to crashes from a CPU bug
For the last few months Chrome has been seeing many "impossible" crashes
on Intel Gemini Lake, family 6 model 122 stepping 1 CPUs. These crashes
only happen with 64-bit Chrome and only happen in the prologue of two
functions. The crashes come and go across different Chrome versions.
Analysis of most of the crashes shows that the address of the crashing
instruction follows some patterns:

When crashing in GetFieldIndex() the last byte of the address is always
1c, 5c, 9c, or dc.

When crashing in UpdateCaches (fewer unique samples) the last byte of
the address is always 5d or 9d.

The address of the function is 0xc or 0xd bytes earlier so the crashing
functions always start with an address that ends in 10, 50, 90, or d0.

Those addresses are for the crashes on a load of the __security_cookie.
The crashes also occasionally happen on the two instructions that follow
the __security_cookie load in which case the crashing instruction's
address has been seen to end with 23 or a3. This corresponds to a
function start address of 10 or 90.

Since the crash involves reading incorrect instruction bytes when
crossing a 16-byte boundary and since the crash appears to only happen
with particular 16-byte alignments it seems reasonable to force the
function's alignments to a multiple of 32 to see if this reliably
avoids the crashes. This change uses the gcc/clang __attribute__
directive to force 32-byte alignment. I have tested this change enough to
verify that it triggers the desired alignment (with up to 31 "int 3"
instructions added for padding) but since I have never reproduced this
crash I have no way of testing its efficacy.

Bug: chromium:968683, chromium:964273
Change-Id: Ia6e1c6d1e044b84d274817374b25523303e78b51
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803775
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63804}
2019-09-16 15:33:08 +00:00
Joshua Litt
798cb9045c Reland "[top-level-await] Implement top-level-await in V8"
The first land did not correctly handle exceptions for already evaluated
modules.

Original description:
Implements AsyncModules in SourceTextModule. However, there is no
support in the parser or D8 for actually creating / resolving
AsyncModules. Also adds a flag '--top-level-await,' but the only
external facing change with the flag enabled is that Module::Evaluate
returns a promise.

Bug: v8:9344
Change-Id: I24725816ee4a6c3616c3c8b08a75a60ca9f27727
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1797658
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63803}
2019-09-16 15:29:17 +00:00
Clemens Hammacher
b53ff5f4e3 Add test mode to ignore allocation hints
This randomizes new memory allocations and reservations. It's currently
used to test far jump tables in wasm better, but might be helpful
generally for testing arbitrary virtual memory layouts.

R=mstarzinger@chromium.org

Bug: v8:9477
Change-Id: Ie60b7c6dd3c4cd0f3b9eb8e2172912e0851c357d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803340
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63802}
2019-09-16 15:18:27 +00:00
Jakob Kummerow
9f7ae50aa8 [ubsan] Make ARM and ARM64 UBSan-clean
Bug: v8:3770,v8:9666
Change-Id: I7b7652887d6b60fbb80e1100834bc7c9df0544d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792909
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63801}
2019-09-16 15:03:45 +00:00
Artem Serov
66f2519628 Reland "[turbofan,arm64] Add float loads poisoning."
This is a reland of 2869d9de0d

Original change's description:
> [turbofan,arm64] Add float loads poisoning.
>
> Also extend load poisoning testing for arm and arm64.
>
> This is a port of I1ef202296744a39054366f2bc424d6952c3bbe9d,
> originally introduced for arm.
>
> Change-Id: I7d317bba6be633dd1e563daa7231d3c5e930f8e4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691032
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63519}

Change-Id: I8155456f6ad571897f6274a86e58fec6cd66ee7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800583
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#63800}
2019-09-16 14:57:08 +00:00
Jose Dapena Paz
d16cda8fc3 GCC: declare noexcept move constructor/assign operators of V8StackTraceId
blink::BlinkCloneableMessage declares default implementation of
move operator/assign operator that requires v8_inspector::V8StackTraceId
to declare its move constructor/assign operator too.

Bug: chromium:819294
Change-Id: Iaf626ee8245efcba372a17cdf2de448e691d41d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796062
Commit-Queue: José Dapena Paz <jose.dapena@lge.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63799}
2019-09-16 14:17:24 +00:00
Tobias Tebbi
702005af44 [turbofan] disable load-elimination overlapping fields check in release mode
Bug: chromium:996097
Change-Id: I2d3bb6e1b844c1ffae0a5e44b1125593402fb7be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806675
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63798}
2019-09-16 14:01:24 +00:00
Clemens Hammacher
633d8307cf [wasm] Add test for multiple code spaces
This CL adds a flag to reduce the initial code space reservation size
(--wasm-max-initial-code-space-reservation), and adds a test which creates at
least four separate code spaces and calls between them.

R=mstarzinger@chromium.org

Bug: v8:9477
Change-Id: I1b4c430266962eb94dbe4b381f46b03c2ec07fc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782999
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63797}
2019-09-16 13:57:46 +00:00
Joshua Litt
20bf2b7b22 [scanner] Allow escaped keywords to be property names
Bug: v8:9647
Change-Id: Ib6449fadc42130a019788ba3a22e93bfd0de789b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803514
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63796}
2019-09-16 13:56:41 +00:00
Joshua Litt
7c9c1039b4 [protectors] Move PromiseThenLookupChain protector to Protectors
Bug: v8:9463
Change-Id: Ife5ea730166e76bdbe8b18eac1eb5688b7aaf150
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800513
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63795}
2019-09-16 13:52:51 +00:00
Dan Elphick
bec49d81df [csa] Fix parameter casting on empty arrays
Changes the Array(Includes|IndexOf)(Holey|Packed)Doubles builtins to
first check the input array is not empty before attempting to cast it to
a FixedDoubleArray as an empty array of doubles can be backed by a
FixedArray.

Bug: chromium:1004061
Change-Id: I12f302afa9596fb8a5581849662cd67fcc06f92b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806676
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63794}
2019-09-16 13:49:21 +00:00
Victor Gomes
e35175a764 Reland "[Heap] Create a fast path for young allocations."
Disable a flaky test.

This is a reland of cbf028e8b8

Bug: v8:9714
Change-Id: Ifc136ad80bd7f2a0ae67a15e688a3d08ceed3c44
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806915
Auto-Submit: Victor Gomes <victorgomes@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@google.com>
Cr-Commit-Position: refs/heads/master@{#63793}
2019-09-16 13:25:51 +00:00
Clemens Hammacher
7c5af8ba13 [wasm] Patch new jump tables with existing functions
If a new code space is added after functions have already been
compiled, we need to initialize the new jump tables to contain all
these functions.

R=mstarzinger@chromium.org

Bug: v8:9477
Change-Id: Ie960966ec5ad667e0626f86eceb7c2b4da72e5bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803337
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63792}
2019-09-16 13:16:24 +00:00
Ross McIlroy
ba9775fd2e [CSA][cleanup] TNodify builtins-object-gen
Also TNodify:
 - LoadJSPrimitiveWrapperValue
 - GetSuperConstructor
 - InstanceOf

BUG=v8:6949,v8:9396

Change-Id: I4b39b418cdf01bd72e35441f037d16ede9c89ce9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803639
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63791}
2019-09-16 13:09:32 +00:00
Clemens Hammacher
82176ac3f5 [wasm] Fix allocation of win64 crashpad data
Ensure that the "padding" (actually needed for crashpad) is allocated
at the beginning of the new code space.

R=ahaas@chromium.org

Bug: v8:9477
Change-Id: I44b9e9feb559788e286fd5c57df90db7cf7f5340
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803650
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63790}
2019-09-16 12:45:01 +00:00
Maya Lekova
2f9d2fc1ce [turbofan] Add a missing object to the broker
Bug: chromium:1003730
Change-Id: Id8ca302b0b17ce08821507bb686bf241416eee67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806913
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63789}
2019-09-16 12:39:26 +00:00
Clemens Hammacher
fa0ec09f21 Fix two warnings issued by g++
A local build with g++ 8.3.0 failed with two warnings. This CL fixes
them.
The errors were:

1) error: 'char* strncat(char*, const char*, size_t)' output truncated
   before terminating nul copying as many bytes from a string as its
   length [-Werror=stringop-truncation]
2) error: 'char* strncpy(char*, const char*, size_t)' specified bound
   depends on the length of the source argument
   [-Werror=stringop-overflow=]

R=petermarshall@chromium.org

Bug: v8:9396
Change-Id: I175a72435becd694e4151a64e538084ec17d8500
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803636
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63788}
2019-09-16 12:23:41 +00:00
Ross McIlroy
61085f2cb3 [CSA] Update TryLookupProperty to JSReceiver type.
The current JSObject type is too specific as it can also be passed proxy
objects.

BUG=chromium:1003919,v8:6949

Change-Id: I2766868543827fc5ee6f99f3b120c7ffe9cfed39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803651
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63787}
2019-09-16 12:20:31 +00:00
Jakob Kummerow
b823bf1ba6 [test][cleanup] Revive --time, speed up some tests
This reimplements the "--time" option of run-tests.py to print the
20 slowest tests, on top of json_test_results infrastructure just
like the bots do it.
Additionally this CL speeds up a bunch of slow tests.

Bug: v8:9396
Change-Id: I40797d2c8c3bfdd310b72f15cd1a035844b7c6f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803635
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63786}
2019-09-16 11:24:11 +00:00
Liviu Rau
2804a4a9f1 Remove MIPS(64) builders from V8 infra
Removed all references to builds [v8_mips_compile_rel,
V8 Mips - builder, V8 Mips - big endian - nosnap] from
configuration files in master branch. Also removed
dead code and unused artifacts that resulted from the
above mentioned changes.

Bug: v8:8858
Change-Id: If9f8d9db433a50997f35219ef4ea9d8a91a1a495
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1798431
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63785}
2019-09-16 11:20:11 +00:00